The primary purpose of this blog is to aid the occasional Google researcher in the field of computer forensics. The content may not be groundbreaking or earth-shattering, but is simply a way to pass along what I hope is useful information.


Monday, August 13, 2012

Windows Backup and Restore

A recent investigation led me to a Windows Backup file. Windows 7, as well as Windows Vista, includes a utility that lets the user back up and restore folders, files and system information. This is not the same as Volume Shadow Copies (VSCs), another mechanism by which Windows preserves copies of files. For information on how to examine VSCs, check out Harlan Carvey's book or other blog posts on the subject. Depending on the version of Windows, the backup can be stored on an external device, such as a USB drive, or over the network (Windows 7 Pro/Ultimate). My research was done with Windows 7 Home Premium and Ultimate.

Interestingly enough, if an end user looks at this backup through Windows Explorer, they will only see the top-level folder, not the individual files inside it.

Windows Backup creates multiple zip files containing the files and folders that were backed up. True, if you mount the zip files in your favorite all-in-one forensic tool you will have access to all of these files in their glory. You can run keyword searches until you are giddy and forensicate to your heart's content, BUT the dates on the entries inside the zip files are the dates the backup was created, not the dates the files were originally created or modified. That being said, Windows Backup tracks the original dates separately, which may come in handy.

Windows Backup records the names of the folders and files, along with their original dates, in a file named GlobalCatalog.wbcat under ComputerName\Backup Set YYYY-MM-DD ######\Catalogs on the backup media. A local copy of GlobalCatalog.wbcat is also kept on the system that was backed up, which helps if you do not have access to the backup media; I discuss this in more detail below. Ideally, this file could be parsed for all of this information, with the results displayed in a nice format, CSV or otherwise. I have been looking at this file in hex trying to figure out a way to accomplish this. So far, I have located the file names, folders and dates, but have not figured out how the records are tied together within the file. Boooo... If you know of any existing program or script that can parse the data, or know the file format, please let me know. If you are interested in seeing a sample of what I have located so far, contact me (arizona4n6 at gmail dot com) and I can send it to you.

As such, viewing the backup natively through Windows Backup is the only method I have discovered to see the original dates for the files and folders. Step-by-step directions follow:

Export the backup files from your image to an external device. If you prefer to mount the image instead, create a VHD from a dd image using Vhdtool and attach the VHD through Disk Management. Make sure it is a copy of your image, as Vhdtool will make changes to it. This should sound familiar if you have read Harlan's post on using Vhdtool to examine VSCs. I tried to mount the image using FTK Imager, but Windows Backup did not see the backup file that way.

Go to Restore > Select another backup to restore files from. It should automatically locate the Windows Backup.

Next, search for *.* and all the files will be listed, or you can browse to a particular file if you prefer. By default, only Date Modified is listed. If you right-click the title bar, you can select Date Created as well. If you use the Browse function instead of Search, you will also have the option to see the backup date.

Now, instead of seeing the same dates and times for all the files contained within the zip files, you are presented with the original Date Created and Date Modified for each file. As I mentioned before, it would be soooooo nice to have this information parsed directly from the GlobalCatalog.wbcat file.

Windows Backup Registry Entries
When a Windows Backup is created, an entry is made or updated in the SOFTWARE hive under the key \Microsoft\Windows\CurrentVersion\WindowsBackup\.

This key holds various subkeys with information regarding the backup, including USB device information. The USB information may come in handy if you are also conducting link file or USB device analysis, and it can be cross-referenced with other registry keys, such as USBSTOR in the SYSTEM hive.

According to my testing, the LastResultTime and LastSuccess values will be the same if the backup completed. If the backup did not complete or was cancelled, these times will differ, and LastResultTime will hold the time of the attempted backup while LastSuccess keeps the time of the last run that finished.

I have created a RegRipper plugin and passed it along. It should be included in the next distro.

This local GlobalCatalog.wbcat file seems to contain entries not only for the last backup, but for previous backups as well, along with the media previously used. This could be helpful if you need to locate or subpoena various devices that contain backups. Below are some results from running Strings across this file:
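The script below is an added example, not code from the original post, and it automates the two manual checks described above: the Strings pass over GlobalCatalog.wbcat (in both ASCII and UTF-16LE, since Windows stores paths as UTF-16LE and a plain Strings run misses them), a scan for 8-byte FILETIME values so the dates can be lined up against the names, and the LastResultTime/LastSuccess rule from the registry section. The .wbcat record layout is not known here, so the FILETIME scan is a heuristic rather than a format parser; the sample bytes are constructed, not a real catalog; the script name wbcat_triage.py is hypothetical; and it assumes the two registry values are FILETIMEs as read out of the SOFTWARE hive (for example by RegRipper or python-registry).

```python
"""Triage helpers for Windows Backup artifacts (added example).

extract_strings  - Strings-style pass over a .wbcat blob, ASCII and UTF-16LE
find_filetimes   - heuristic scan for 8-byte FILETIME values in a sane range
backup_status    - LastResultTime vs. LastSuccess rule from the registry section
"""
import csv
import re
import struct
import sys
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def extract_strings(blob, min_len=4):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    hits += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    return sorted(hits)


def find_filetimes(blob, year_min=1990, year_max=2038):
    """Return (offset, datetime) for every 8-byte window that decodes to a
    FILETIME in [year_min, year_max). Every byte offset is tried because an
    undocumented file gives no alignment guarantee; expect a few false hits."""
    lo = datetime_to_filetime(datetime(year_min, 1, 1, tzinfo=timezone.utc))
    hi = datetime_to_filetime(datetime(year_max, 1, 1, tzinfo=timezone.utc))
    hits = []
    for off in range(len(blob) - 7):
        ft = struct.unpack_from("<Q", blob, off)[0]
        if lo <= ft < hi:
            hits.append((off, filetime_to_datetime(ft)))
    return hits


def backup_status(last_result_time, last_success):
    """Apply the post's rule to the two WindowsBackup registry values, assumed
    here to be FILETIMEs: equal means the last run completed; otherwise
    LastResultTime is the failed/cancelled attempt and LastSuccess the most
    recent run that finished. Returns (state, attempted, last_completed)."""
    attempted = filetime_to_datetime(last_result_time)
    completed = filetime_to_datetime(last_success)
    state = "completed" if last_result_time == last_success else "incomplete"
    return state, attempted, completed


# Constructed sample bytes: NOT a real catalog layout, just an ASCII marker, a
# UTF-16LE path and one FILETIME so the functions have something to find offline.
SAMPLE_TIME = datetime(2012, 3, 5, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"
SAMPLE_BLOB = (
    b"\x00" * 4
    + b"wbcat" + b"\x00" * 3
    + SAMPLE_PATH.encode("utf-16-le") + b"\x00\x00"
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME))
    + b"\xff" * 4
)


def triage(blob):
    """Merge both scans into CSV-ready rows of (offset, kind, value), sorted by
    offset so a timestamp shows up next to the name it probably belongs to."""
    rows = list(extract_strings(blob))
    rows += [(off, "filetime", dt.isoformat()) for off, dt in find_filetimes(blob)]
    return sorted(rows)


if __name__ == "__main__":
    # usage: python wbcat_triage.py GlobalCatalog.wbcat > catalog.csv
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    writer = csv.writer(sys.stdout)
    writer.writerow(["offset", "kind", "value"])
    writer.writerows(triage(data))
```

Run it against the GlobalCatalog.wbcat pulled from the image (or the local copy) and sort the CSV by offset: the UTF-16LE paths and the FILETIME candidates that sit next to them are the raw material for working out how the records are tied together, which is exactly the piece still missing above.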

1 comment:

Windows Backup and Restore option are really good for me. Because at this time create more problems about it. So you can giving to me greatest information about it. Thanks for sharing to good information.